Why OT Endpoints Become a Security Risk

Image: BOTAHRY DEX – stock.adobe.com
By Thomas Joos
Last updated: 21 May 2026

Eleven device types appear for the first time in the ranking of the riskiest devices. Alongside classic IT components, these are primarily specialized endpoints such as time clocks, RFID readers, BACnet routers, power distribution units (PDUs), and medical systems, including DICOM gateways and image printers. According to the Forescout analysis "The Riskiest Devices of 2026", approximately 75 percent of the device types classified as critical today were not even on the radar two years ago, which underscores how quickly the threat landscape is changing.

Securing serial-to-IP converters and edge bridges

Serial-to-IP converters carry digital values from RTUs (Remote Terminal Units), relays, PLCs (Programmable Logic Controllers), or bedside monitors into the IP backbone, in substations, water treatment plants, CNC production lines, rail signalling systems, and patient monitoring. Forescout's BRIDGE:BREAK research identifies 22 new vulnerabilities in devices of the Lantronix EDS series and in the Silex SD-330AC. Tens of thousands of these converters are reachable online, often with default credentials and without any patch history. The potential danger is physical: attackers can manipulate sensor values for pressure, flow, or vital signs before they reach the SCADA or monitoring system, and conversely can falsify actuator commands, with direct consequences for plant safety.

Strategy for securing these devices:

- Inventory: record every converter by manufacturer, firmware version, and network segment.
- Hardening: disable unencrypted services (HTTP, Telnet) and migrate management to SNMPv3.
- Isolation: place the converters in strictly regulated segments that communicate exclusively with the SCADA system.
- Validation: deploy OT gateways with Deep Packet Inspection (DPI) that check telegrams against reference models.

Figure 1: Serial-to-IP converters and other external devices should be kept under observation.
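To make the validation step concrete, the following Python script (added here as an example; it is not code from the article, from Forescout, or from any converter vendor) parses constructed Modbus/TCP read-holding-register responses of the kind a serial-to-IP converter forwards from an RTU, and checks each register against a hypothetical reference model: a plausible value range plus a maximum change between consecutive telegrams. This is the type of check a DPI gateway applies before a value reaches the SCADA system. The register layout, units, bounds, and the frames themselves are assumptions constructed for the demonstration; a malformed frame is reported rather than silently passed through.

```python
import struct
from dataclasses import dataclass


@dataclass
class RegisterModel:
    """Reference model for one holding register: plausible range and max change per telegram."""
    name: str
    lo: int
    hi: int
    max_step: int


# Hypothetical reference model for a converter in front of a pressure/flow RTU.
# Register layout, units and bounds are constructed for this example.
REFERENCE_MODEL = {
    0: RegisterModel("pressure_kpa_x10", 0, 6000, 300),  # 0.0 .. 600.0 kPa
    1: RegisterModel("flow_lpm", 0, 1200, 150),           # litres per minute
}


def build_read_holding_regs_response(tid, unit, values):
    """Build a Modbus/TCP function-code-3 response frame (constructed test data)."""
    pdu = struct.pack(">BBB", unit, 0x03, 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    # MBAP header: transaction id, protocol id (0 = Modbus), remaining length
    return struct.pack(">HHH", tid, 0, len(pdu)) + pdu


def parse_read_holding_regs_response(frame):
    """Strictly parse a function-code-3 response; raise ValueError on any inconsistency."""
    if len(frame) < 9:
        raise ValueError("truncated frame")
    tid, pid, length, unit, fc, byte_count = struct.unpack(">HHHBBB", frame[:9])
    if pid != 0:
        raise ValueError("unexpected protocol id %d" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if fc != 0x03:
        raise ValueError("unexpected function code 0x%02x" % fc)
    if byte_count % 2 or byte_count != len(frame) - 9:
        raise ValueError("byte count does not match register data")
    values = list(struct.unpack(">%dH" % (byte_count // 2), frame[9:]))
    return tid, unit, values


class TelegramValidator:
    """Checks successive telegrams against the reference model, keeping the last seen values."""

    def __init__(self, model):
        self.model = model
        self.last = {}

    def check(self, frame):
        """Return a list of findings; an empty list means the telegram is plausible."""
        try:
            _tid, _unit, values = parse_read_holding_regs_response(frame)
        except ValueError as exc:
            return ["malformed telegram: %s" % exc]
        findings = []
        for idx, value in enumerate(values):
            spec = self.model.get(idx)
            if spec is None:
                findings.append("register %d is not part of the reference model" % idx)
                continue
            if not spec.lo <= value <= spec.hi:
                findings.append("%s=%d outside plausible range [%d, %d]"
                                % (spec.name, value, spec.lo, spec.hi))
            prev = self.last.get(idx)
            if prev is not None and abs(value - prev) > spec.max_step:
                findings.append("%s jumped %d -> %d, exceeds max step %d"
                                % (spec.name, prev, value, spec.max_step))
            # Keep the new value as baseline even when flagged, so a repeated
            # implausible value is reported as a jump once and as out-of-range afterwards.
            self.last[idx] = value
        return findings


if __name__ == "__main__":
    validator = TelegramValidator(REFERENCE_MODEL)
    telegrams = [
        build_read_holding_regs_response(1, 1, [500, 800]),        # normal
        build_read_holding_regs_response(2, 1, [520, 810]),        # normal drift
        build_read_holding_regs_response(3, 1, [7000, 820]),       # manipulated pressure
        build_read_holding_regs_response(4, 1, [530, 815])[:-1],   # truncated on the wire
    ]
    for frame in telegrams:
        print(frame.hex(), validator.check(frame))
```

The range check catches a value that is physically impossible for the process, the step check catches a value that is within range but changed faster than the process can, and the strict parser rejects frames whose length fields disagree; in a real gateway each finding would be logged and the telegram dropped rather than forwarded.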
Microsegmentation: limiting damage after an attack

Microsegmentation addresses the point at which classic perimeter security fails. Instead of flat VLANs, enforcement points are distributed directly at the device or workload level. According to Gartner, approximately 60 percent of enterprises will use zero-trust architectures with multiple forms of microsegmentation by the end of 2026, and NIST SP 800-207 classifies microsegmentation as a central control point within a zero-trust architecture.

The path to implementation:

- Passive flow map: document the current communication via NetFlow, sFlow, or SPAN ports.
- Classification: divide systems into zones (e.g., production, medical technology, IoT sensors) by function and risk.
- Monitor mode: test the ruleset first without blocking, to rule out false alarms.
- Enforcement: switch to default-deny, where every connection requires explicit permission.

Between IT and sensitive areas (production, medical technology), the classical separations in accordance with IEC 62443, with DMZs and jump hosts, must remain in place as well. In a modern architecture there must no longer be a direct path from an office client to a PLC.

Lessons from practice

In its 2025 situation report, the BSI counted an average of 119 newly disclosed vulnerabilities per day, a 24 percent increase over the previous reporting period. 48 percent of KRITIS (critical infrastructure) operators do not have a sufficiently mature attack detection system. According to the ENISA Threat Landscape 2025, exploitation of known vulnerabilities accounts for 21.3 percent of all initial access vectors; it ranks behind phishing at 60 percent but well ahead of stolen credentials. How critical insufficient segmentation can be was demonstrated by the coordinated cyber attack on the Polish energy sector in late 2025: exposed management interfaces served as the entry point from which the attackers spread unimpeded through insufficiently segmented OT networks.
The situation is particularly acute in healthcare: medical devices can arrive infected from the factory and attempt to download malware from the internet. Consistent network separation is therefore no longer merely a matter of data security but of patient protection.
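The microsegmentation rollout described above (passive flow map, classification into zones, monitor mode, then default-deny enforcement) in Python, added here as an example; it is not code from the article or from any segmentation product. The asset inventory, the NetFlow-style records, the zone names, and the forbidden zone pairs are all constructed. The sample deliberately contains the two cases the article names: an office client talking straight to a PLC instead of going through the jump host, and a medical device trying to reach the internet. Both are surfaced in monitor mode and blocked once enforcement is switched on.

```python
from collections import Counter

# Constructed asset inventory (classification step): IP address -> zone.
ZONES = {
    "10.10.1.25": "office",
    "10.20.5.50": "jump_host",
    "10.20.5.10": "scada",
    "10.30.0.7": "plc",
    "10.30.0.8": "plc",
    "10.40.2.3": "medical",
}

# Constructed NetFlow-style records (flow map step): (src, dst, proto, dst_port).
FLOWS = [
    ("10.20.5.10", "10.30.0.7", "tcp", 502),     # SCADA polling a PLC (Modbus)
    ("10.20.5.10", "10.30.0.8", "tcp", 502),
    ("10.10.1.25", "10.20.5.50", "tcp", 22),     # office user to jump host
    ("10.20.5.50", "10.20.5.10", "tcp", 3389),   # jump host to SCADA console
    ("10.10.1.25", "10.30.0.7", "tcp", 502),     # office client straight to a PLC
    ("10.40.2.3", "203.0.113.9", "tcp", 443),    # medical device calling the internet
]

# Zone pairs that must never be allowed directly, whatever the flow map shows
# (the IEC 62443 separation: office traffic reaches OT only via the jump host).
FORBIDDEN = {("office", "plc"), ("office", "scada")}


def zone_of(ip, zones):
    """Unclassified addresses (including the internet) get their own zone so they never match a rule by accident."""
    return zones.get(ip, "unknown")


def flow_map(flows, zones):
    """Aggregate raw flows into zone-to-zone edges with a hit counter (the passive flow map)."""
    edges = Counter()
    for src, dst, proto, port in flows:
        edges[(zone_of(src, zones), zone_of(dst, zones), proto, port)] += 1
    return dict(edges)


def propose_policy(edges, forbidden):
    """Derive a candidate allow-list from the observed flow map, dropping forbidden zone pairs
    and any edge that involves an unclassified endpoint. Everything not listed is denied."""
    return {e for e in edges
            if (e[0], e[1]) not in forbidden and "unknown" not in e[:2]}


def evaluate(flows, zones, policy, enforce):
    """Apply the policy to each flow: in monitor mode a violation is only reported,
    in enforce mode it is denied (default-deny)."""
    verdicts = []
    for src, dst, proto, port in flows:
        edge = (zone_of(src, zones), zone_of(dst, zones), proto, port)
        if edge in policy:
            verdict = "allow"
        elif enforce:
            verdict = "deny"
        else:
            verdict = "would-deny"
        verdicts.append((src, dst, proto, port, verdict))
    return verdicts


def summary(verdicts):
    """Count verdicts, the figure to watch while the ruleset runs in monitor mode."""
    return dict(Counter(v[-1] for v in verdicts))


if __name__ == "__main__":
    edges = flow_map(FLOWS, ZONES)
    for edge, hits in sorted(edges.items()):
        print("%-10s -> %-10s %s/%-5d x%d" % (edge[0], edge[1], edge[2], edge[3], hits))
    policy = propose_policy(edges, FORBIDDEN)
    print("monitor mode:", summary(evaluate(FLOWS, ZONES, policy, enforce=False)))
    print("enforce mode:", summary(evaluate(FLOWS, ZONES, policy, enforce=True)))
```

The important design point is that the candidate policy is derived from observed traffic but filtered by the architecture rules first: an office-to-PLC flow that happens to exist today is never turned into an allow rule just because the flow map contains it, and a "would-deny" count that does not drop to the expected violations during monitor mode is the signal that the zone classification, not the policy, needs work.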

ComputerWeekly.de